Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan | Global Views 360 | January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputable customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. It is a service provider to over 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to slip malicious code into a software update for a SolarWinds tool called "Orion". The hackers had injected malware into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government bodies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020 the Department of Veterans Affairs renewed its Orion license in a $2.8 million order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers installed the compromised software, which means these customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization's network. Because the malware went undetected for months, the hackers had ample opportunity to gather information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that was the first to discover the breach, describes the malware's capabilities, from initially lying dormant for up to two weeks to hiding in plain sight by disguising its activity as "Orion Activity". In 2016, Russian military hackers used a "supply chain" attack to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has also been identified as a "supply chain" method.

The Orion software framework contained a backdoor that communicated over HTTP with third-party servers. The cybersecurity firm FireEye tracks the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as "highly evasive". Meanwhile, SolarWinds is facing a class action lawsuit filed by a shareholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit names SolarWinds' former president, Kevin Thompson, and its chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also notes that the SolarWinds update server had a weak and easily guessable password, 'solarwinds123'.

Microsoft's internal security research team found evidence that the same hackers had accessed some source code in the company's internal systems. Microsoft said the activity went beyond the mere presence of malicious SolarWinds code in its environment. Microsoft has "an open source like culture" that allows teams within the company to view source code. The company acknowledges that this is part of its threat model but plays down the risk, saying that "just viewing the source code should not cause any elevated risk".

Russian hackers have also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of the city's network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information relating to city governance, elections and the city police, and by digging deeper they could reach the city's energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin's breach, appears to have used Austin's network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group called APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee for State Security, widely known as the KGB.

The Austin City Council appears to have been aware of the breach since October 2020. The FBI and CISA published an initial advisory warning of "advanced persistent threat actors" (APTs) on October 9, 2020. The advisory warned of APTs targeting state and local governments. On October 22, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that had been breached, scanned or targeted by Berserk Bear. Berserk Bear's reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been in a network for more than a couple of months before anyone discovers their presence. Ruohonen also noted that this technique is particularly favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that Berserk Bear's hackers are not limited to espionage and sabotage. They can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the former CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds has replaced its former CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having recently led Pulse Secure. The new CEO publicly stated that the company will make five critical changes to put security front and center. The company also hired former CISA director Chris Krebs and Facebook's former security lead, Alex Stamos. Krebs and Stamos work as independent consultants helping the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.
